GuardDog is a CLI tool to Identify malicious PyPI and npm packages.

GuardDog is a CLI tool that allows to identify malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.
GuardDog can be used to scan local or remote PyPI and npm packages or Go modules using any of the available heuristics.

Related contents:

• Episode #497: sécurisation de la chaîne d’approvisionnement logicielle (software supply chain) @ NoLimitSecu .

Docker Scout is a solution for proactively enhancing your software supply chain security. By analyzing your images, Docker Scout compiles an inventory of components, also known as a Software Bill of Materials (SBOM). The SBOM is matched against a continuously updated vulnerability database to pinpoint security weaknesses.

• Enhancing Container Security with Docker Scout and Secure Repositories @ Docker blog .

Software Bill of Materials (SBOM) Analysis.

• Dependency-Track @ GitHub.
• Démarrer avec Dependency Track @ Culture et Outils DevSecOps .

OpenClarity is an open source platform to enhance security and observability of cloud native applications and infrastructure.

OpenClarity is an open source tool for agentless detection and management of Virtual Machine Software Bill Of Materials (SBOM) and security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations and leaked secrets.

• OpenClarity @ GitHub.

Related contents:

• voici un outil Open Source autour de la sécurité et l'observabilité @ Laurent M.'s LinkedIn .

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security.

SBOM quality score - Quality metrics for your sboms.
sbomqs is your primary tool to assess an SBOM's quality and compliance. The higher the score the more consumable & compliant your SBOMs are.

Comprehensive Open Source Security and SBOM Management. Secure Your Products From Repo to Release.

Stop vulnerabilities, automate compliance, and mitigate third-party risk in your applications.

• FOSSA CLI @ GitHub.

Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there’s no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.

• Sigstore @ GitHub.
• Sigstore documentation.

Related contents:

• Streamline security with keyless signing and verification in GitLab @ GitLab.
• Annotate container images with build provenance using Cosign in GitLab CI/CD @ GitLab.
• Episode #497: sécurisation de la chaîne d’approvisionnement logicielle (software supply chain) @ NoLimitSecu .

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

• Syft - SBOM Generator @ Snapcaft.